GDPR came into force on 25 May 2018. It gives individuals more rights and protection in how their personal data is used and stored by organisations. GDPR places greater obligations on how organisations handle ‘personal data’, so if you gather any information about a church congregation then you will need to understand your responsibilities under GDPR.
ChurchPad is church admin software used by churches in the UK. Whilst GDPR requires ongoing compliance and best practice for those in the church that handle personal data, ChurchPad can help keep your church compliant with the GDPR. By storing all your church data in one secure system, it means data is only accessible to those who are authorised to access it within the church. This access is controlled by the super-user within the church.
Those who need to access personal information for their members, teams or groups can be given access to just that part of ChurchPad. This means they no longer have to keep spreadsheets stored on their own computers and email them between people.
All personal data stored on ChurchPad is encrypted and you can find out more on our security page.
The church/legal entity is the Data Controller and ChurchPad is the Data Processor.
Our Responsibilities and Data Protection Features
We require every church to specify who their data controller is. This could be an individual, or a sub-committee of Trustees. This will help highlight to churches that they need a data controller (or someone acting in that capacity) and it gives us someone to talk to in case any data protection issues arise.
We will ask for specific consent for processing the individual’s data with a privacy notice which will be customisable for your church. New users will need to agree to it on first login, and existing users will need to accept it when they next log in. If you change your policy, you can trigger the consent box to appear again.
Age of Consent
The GDPR states that, if consent is your basis for processing a child’s personal data, a child under the age of 16 can’t give that consent themselves; instead, consent is required from a person holding ‘parental responsibility’. This age has been reduced in the UK to 13. We ask all new registrations for their date of birth so that we can make sure no one under that age is able to register themselves.
Erasure and Rectification
We provide an option in the user’s profile where they can request to be deleted from the system. This is to help with the ‘right to be forgotten’. If this request is made, the administrator will be notified and will be able to log in and complete the process in the admin area to completely remove the user from all ChurchPad systems.
Security and Vulnerabilities
All our services run over SSL, ensuring your data is encrypted as it travels over the internet. We also run a suite of penetration tests on our servers and services, ensuring they are protected against vulnerabilities such as SQL injection, CSRF and privilege escalation. See our Security page for how we protect your data.
Data Protection by design
All features of ChurchPad have been built with privacy in mind. By default, members have to opt in to be shown in the Church Directory and even then, they can choose what information is shared. A member’s email address is hidden where possible and forms are provided for inter-member communication. These small features are there to ensure a member’s information isn’t leaked out where it shouldn’t be.
Accurate and Up to date
Personal data must be accurate and kept up to date, and organisations should have a process for ensuring this. This can be handled automatically in ChurchPad with the click of a button. Check out our video on how to check your members’ details.